
Trojan Downloader Wont Go Away

Discussion in 'Malware and Virus Removal Archive' started by Deelah, 2007/07/05.

  1. 2007/07/05
    Deelah
    Hello. I have been trying to get rid of this Trojan for weeks but it won't leave!!! I run the Ad-Aware scan and it says it is a Registry Key and can't delete or quarantine it. I have also run the AVG Virus scan but it doesn't find it. I have cleaned my registry a couple of times also. Here is the HijackThis log and Ad-Aware SE log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:35:26 AM, on 7/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\ISPCOMP\InstallService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Athan\Athan.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Juno\exec.exe
    C:\Program Files\Juno\exec.exe
    C:\Program Files\Juno\qsacc\x1exec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Documents and Settings\Adillah\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://admin.isp.netscape.com/sessi...romo=ADRESS-INFROM&client=3.0.0.80&partnerid=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe "
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\linkprd.exe /res
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
    O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\Juno\qsacc\x1exec.exe "
    O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A1E71AA3-4CDE-4309-A4DB-2EC324B280CB}: NameServer = 64.136.28.120 64.136.44.73
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    Please let me know if you need any other logs. Thank you!
     
    Last edited: 2007/07/05
  2. 2007/07/05
    Deelah
    Ad Aware Log

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Thursday, July 05, 2007 7:36:42 AM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R179 04.07.2007
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    MRU List(TAC index:0):2 total references
    Tracking Cookie(TAC index:3):31 total references
    Win32.Trojandownloader.Zlob(TAC index:10):1 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    7-5-2007 7:36:42 AM - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : S-1-5-21-1935655697-688789844-854245398-1004\software\microsoft\internet explorer\typedurls
    Description : list of recently entered addresses in microsoft internet explorer


    MRU List Object Recognized!
    Location: : S-1-5-21-1935655697-688789844-854245398-1004\software\microsoft\office\11.0\word\recent templates
    Description : list of recent templates used by microsoft word


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 396
    ThreadCreationTime : 7-5-2007 10:34:51 AM
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 456
    ThreadCreationTime : 7-5-2007 10:34:56 AM
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 480
    ThreadCreationTime : 7-5-2007 10:34:58 AM
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 524
    ThreadCreationTime : 7-5-2007 10:35:01 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 536
    ThreadCreationTime : 7-5-2007 10:35:01 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [ati2evxx.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 692
    ThreadCreationTime : 7-5-2007 10:35:08 AM
    BasePriority : Normal
    FileVersion : 6.14.10.4113
    ProductVersion : 6.14.10.4113
    ProductName : ATI External Event Utility for WindowsNT and Windows9X
    CompanyName : ATI Technologies Inc.
    FileDescription : ATI External Event Utility EXE Module
    InternalName : ATI2EVXX.EXE
    LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
    OriginalFilename : ATI2EVXX.EXE

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 708
    ThreadCreationTime : 7-5-2007 10:35:08 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 804
    ThreadCreationTime : 7-5-2007 10:35:09 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 864
    ThreadCreationTime : 7-5-2007 10:35:10 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 944
    ThreadCreationTime : 7-5-2007 10:35:11 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:11 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 964
    ThreadCreationTime : 7-5-2007 10:35:12 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:12 [vsmon.exe]
    FilePath : C:\WINDOWS\system32\ZoneLabs\
    ProcessID : 1016
    ThreadCreationTime : 7-5-2007 10:35:13 AM
    BasePriority : Normal
    FileVersion : 7.0.337.000
    ProductVersion : 7.0.337.000
    ProductName : TrueVector Service
    CompanyName : Zone Labs, LLC
    FileDescription : TrueVector Service
    InternalName : vsmon
    LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
    OriginalFilename : vsmon.exe

    #:13 [ccsetmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 1164
    ThreadCreationTime : 7-5-2007 10:35:34 AM
    BasePriority : Normal
    FileVersion : 103.5.6.3
    ProductVersion : 103.5.6.3
    ProductName : Client and Host Security Platform
    CompanyName : Symantec Corporation
    FileDescription : Symantec Settings Manager Service
    InternalName : ccSetMgr
    LegalCopyright : Copyright (c) 2000-2005 Symantec Corporation. All rights reserved.
    OriginalFilename : ccSetMgr.exe

    #:14 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 1192
    ThreadCreationTime : 7-5-2007 10:35:35 AM
    BasePriority : Normal
    FileVersion : 103.5.6.3
    ProductVersion : 103.5.6.3
    ProductName : Client and Host Security Platform
    CompanyName : Symantec Corporation
    FileDescription : Symantec Event Manager Service
    InternalName : ccEvtMgr
    LegalCopyright : Copyright (c) 2000-2005 Symantec Corporation. All rights reserved.
    OriginalFilename : ccEvtMgr.exe

    #:15 [lexbces.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1328
    ThreadCreationTime : 7-5-2007 10:35:37 AM
    BasePriority : Normal
    FileVersion : 9.41
    ProductVersion : 9.41
    ProductName : MarkVision for Windows (32 bit)
    CompanyName : Lexmark International, Inc.
    FileDescription : LexBce Service
    InternalName : LexBce Service
    LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
    OriginalFilename : LexBceS.exe

    #:16 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1352
    ThreadCreationTime : 7-5-2007 10:35:37 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion : 5.1.2600.2696
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:17 [lexpps.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1360
    ThreadCreationTime : 7-5-2007 10:35:37 AM
    BasePriority : Normal
    FileVersion : 9.41
    ProductVersion : 9.41
    ProductName : MarkVision for Windows (32 bit)
    CompanyName : Lexmark International, Inc.
    FileDescription : LEXPPS.EXE
    InternalName : LEXPPS
    LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
    OriginalFilename : LEXPPS.EXE
    Comments : MarkVision for Windows '95 New P2P Server (32-bit)

    #:18 [avgamsvr.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1468
    ThreadCreationTime : 7-5-2007 10:35:39 AM
    BasePriority : Normal
    FileVersion : 7.5.0.453
    ProductVersion : 7.5.0.453
    ProductName : AVG Anti-Virus system
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Alert Manager
    InternalName : avgamsvr
    LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
    OriginalFilename : avgamsvr.EXE

    #:19 [avgupsvc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1508
    ThreadCreationTime : 7-5-2007 10:35:41 AM
    BasePriority : Normal
    FileVersion : 7.5.0.420
    ProductVersion : 7.5.0.420
    ProductName : AVG 7.5 Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Update Service
    InternalName : avgupsvc
    LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
    OriginalFilename : avgupdsvc.EXE

    #:20 [avgemc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1532
    ThreadCreationTime : 7-5-2007 10:35:42 AM
    BasePriority : Normal
    FileVersion : 7.5.0.460
    ProductVersion : 7.5.0.460
    ProductName : AVG Anti-Virus system
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG E-Mail Scanner
    InternalName : avgemc
    LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
    OriginalFilename : avgemc.exe

    #:21 [defwatch.exe]
    FilePath : C:\Program Files\Symantec AntiVirus\
    ProcessID : 1564
    ThreadCreationTime : 7-5-2007 10:35:42 AM
    BasePriority : Normal
    FileVersion : 10.0.2.2000
    ProductVersion : 10.0.2.2000
    ProductName : Symantec AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Virus Definition Daemon
    InternalName : DefWatch
    LegalCopyright : Copyright 1998 - 2005 Symantec Corporation. All rights reserved.
    OriginalFilename : DefWatch.exe

    #:22 [mdm.exe]
    FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
    ProcessID : 1600
    ThreadCreationTime : 7-5-2007 10:35:43 AM
    BasePriority : Normal
    FileVersion : 7.00.9466
    ProductVersion : 7.00.9466
    ProductName : Microsoft® Visual Studio .NET
    CompanyName : Microsoft Corporation
    FileDescription : Machine Debug Manager
    InternalName : mdm.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : mdm.exe

    #:23 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1656
    ThreadCreationTime : 7-5-2007 10:35:44 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:24 [rtvscan.exe]
    FilePath : C:\Program Files\Symantec AntiVirus\
    ProcessID : 1684
    ThreadCreationTime : 7-5-2007 10:35:46 AM
    BasePriority : Normal
    FileVersion : 10.0.2.2000
    ProductVersion : 10.0.2.2000
    ProductName : Symantec AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Symantec AntiVirus
    LegalCopyright : Copyright 2005 Symantec Corporation. All rights reserved.

    #:25 [alg.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 128
    ThreadCreationTime : 7-5-2007 10:35:55 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Application Layer Gateway Service
    InternalName : ALG.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : ALG.exe

    #:26 [ati2evxx.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 2420
    ThreadCreationTime : 7-5-2007 10:40:37 AM
    BasePriority : Normal
    FileVersion : 6.14.10.4113
    ProductVersion : 6.14.10.4113
    ProductName : ATI External Event Utility for WindowsNT and Windows9X
    CompanyName : ATI Technologies Inc.
    FileDescription : ATI External Event Utility EXE Module
    InternalName : ATI2EVXX.EXE
    LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
    OriginalFilename : ATI2EVXX.EXE

    #:27 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 2564
    ThreadCreationTime : 7-5-2007 10:40:39 AM
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:28 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 2652
    ThreadCreationTime : 7-5-2007 10:40:44 AM
    BasePriority : Normal
    FileVersion : 103.5.6.3
    ProductVersion : 103.5.6.3
    ProductName : Client and Host Security Platform
    CompanyName : Symantec Corporation
    FileDescription : Symantec User Session
    InternalName : ccApp
    LegalCopyright : Copyright (c) 2000-2005 Symantec Corporation. All rights reserved.
    OriginalFilename : ccApp.exe

    #:29 [vptray.exe]
    FilePath : C:\PROGRA~1\SYMANT~1\
    ProcessID : 2660
    ThreadCreationTime : 7-5-2007 10:40:44 AM
    BasePriority : Normal
    FileVersion : 10.0.2.2000
    ProductVersion : 10.0.2.2000
    ProductName : Symantec AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Symantec AntiVirus
    LegalCopyright : Copyright 2005 Symantec Corporation. All rights reserved.

    #:30 [atiptaxx.exe]
    FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
    ProcessID : 2668
    ThreadCreationTime : 7-5-2007 10:40:44 AM
    BasePriority : Normal
    FileVersion : 6.14.10.5142
    ProductVersion : 6.14.10.5142
    ProductName : ATI Desktop Component
    CompanyName : ATI Technologies, Inc.
    FileDescription : ATI Desktop Control Panel
    InternalName : Atiptaxx.exe
    LegalCopyright : Copyright (C) 1998-2005 ATI Technologies Inc.
    OriginalFilename : Atiptaxx.exe

    #:31 [installservice.exe]
    FilePath : C:\Program Files\Common Files\ISPCOMP\
    ProcessID : 2688
    ThreadCreationTime : 7-5-2007 10:40:44 AM
    BasePriority : Normal
    FileVersion : 3.0.1.1
    ProductVersion : 3.0.1.0
    ProductName : Netscape Internet Service
    CompanyName : Netscape Communications Corporation
    InternalName : InstallService.exe
    LegalTrademarks : Netscape

    #:32 [avgcc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 2696
    ThreadCreationTime : 7-5-2007 10:40:44 AM
    BasePriority : Normal
    FileVersion : 7.5.0.460
    ProductVersion : 7.5.0.460
    ProductName : AVG Anti-Virus system
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC
    LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
    OriginalFilename : AvgCC.EXE

    #:33 [lxbmbmgr.exe]
    FilePath : C:\Program Files\Lexmark 4200 Series\
    ProcessID : 2704
    ThreadCreationTime : 7-5-2007 10:40:44 AM
    BasePriority : Normal
    FileVersion : 0.1.25.0
    ProductVersion : 0.1.25.0
    ProductName : Button Manager Executable
    CompanyName : Lexmark International, Inc.
    FileDescription : Lexmark 4200 Series Button Manager
    InternalName : lxbmbmgr.exe
    LegalCopyright : (C) 2002 Lexmark International, Inc.
    OriginalFilename : lxbmbmgr.exe

    #:34 [jusched.exe]
    FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
    ProcessID : 2720
    ThreadCreationTime : 7-5-2007 10:40:44 AM
    BasePriority : Normal


    #:35 [qttask.exe]
    FilePath : C:\Program Files\QuickTime\
    ProcessID : 2728
    ThreadCreationTime : 7-5-2007 10:40:44 AM
    BasePriority : Normal
    FileVersion : 6.4
    ProductVersion : QuickTime 6.4
    ProductName : QuickTime
    CompanyName : Apple Computer, Inc.
    InternalName : QuickTime Task
    LegalCopyright : © Apple Computer, Inc. 2001-2003
    OriginalFilename : QTTask.exe

    #:36 [apdproxy.exe]
    FilePath : C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\
    ProcessID : 2736
    ThreadCreationTime : 7-5-2007 10:40:45 AM
    BasePriority : Normal


    #:37 [viewmgr.exe]
    FilePath : C:\Program Files\Viewpoint\Viewpoint Manager\
    ProcessID : 2744
    ThreadCreationTime : 7-5-2007 10:40:45 AM
    BasePriority : Normal
    FileVersion : 2, 0, 0, 42
    ProductVersion : 2, 0, 0, 42
    ProductName : Viewpoint Manager
    CompanyName : Viewpoint Corporation
    FileDescription : ViewMgr
    InternalName : Viewpoint Manager
    LegalCopyright : Copyright © 2004
    OriginalFilename : ViewMgr.exe
    Comments : Viewpoint Manager

    #:38 [zlclient.exe]
    FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
    ProcessID : 2776
    ThreadCreationTime : 7-5-2007 10:40:46 AM
    BasePriority : Normal
    FileVersion : 7.0.337.000
    ProductVersion : 7.0.337.000
    ProductName : ZoneAlarm Client
    CompanyName : Zone Labs, LLC
    FileDescription : ZoneAlarm Client
    InternalName : zlclient
    LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
    OriginalFilename : zlclient.exe

    #:39 [athan.exe]
    FilePath : C:\Program Files\Athan\
    ProcessID : 2800
    ThreadCreationTime : 7-5-2007 10:40:47 AM
    BasePriority : Normal
    FileVersion : 3.00
    ProductVersion : 3.00
    ProductName : Athan
    CompanyName : www.IslamicFinder.org
    FileDescription : Automatic Athan (Azan) five times a day for every prayer time. It covers more than 5 million cities, towns, and villages all over the world.
    InternalName : Athan
    OriginalFilename : Athan.exe

    #:40 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ProcessID : 2836
    ThreadCreationTime : 7-5-2007 10:40:48 AM
    BasePriority : Normal
    FileVersion : 4.7.3001
    ProductVersion : Version 4.7.3001
    ProductName : Messenger
    CompanyName : Microsoft Corporation
    FileDescription : Windows Messenger
    InternalName : msmsgs
    LegalCopyright : Copyright (c) Microsoft Corporation 2004
    LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename : msmsgs.exe

    #:41 [lxbmbmon.exe]
    FilePath : C:\Program Files\Lexmark 4200 Series\
    ProcessID : 2844
    ThreadCreationTime : 7-5-2007 10:40:48 AM
    BasePriority : Normal
    FileVersion : 2, 0, 0, 1
    ProductVersion : 2, 0, 0, 1
    ProductName : Button Monitor Executable
    CompanyName : Lexmark International, Inc.
    FileDescription : ACMonitor
    InternalName : ACMonitor
    LegalCopyright : Copyright © 2003
    OriginalFilename : ACMonitor.exe

    #:42 [ctfmon.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 2872
    ThreadCreationTime : 7-5-2007 10:40:50 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : CTFMON.EXE

    #:43 [iam.exe]
    FilePath : C:\Program Files\CallWave\
    ProcessID : 3108
    ThreadCreationTime : 7-5-2007 10:41:08 AM
    BasePriority : Normal
    FileVersion : 3.09.10 (9-March-2007)
    ProductVersion : 3.09.10 (9-March-2007)
    ProductName : CallWave Service
    CompanyName : CallWave, Inc.
    FileDescription : Internet Answering Machine
    InternalName : CallApp
    LegalCopyright : Copyright © 1999-2003 CallWave, Inc.
    OriginalFilename : CallApp.exe

    #:44 [easyshare.exe]
    FilePath : C:\Program Files\Kodak\Kodak EasyShare software\bin\
    ProcessID : 3152
    ThreadCreationTime : 7-5-2007 10:41:11 AM
    BasePriority : Normal
    FileVersion : 5, 3, 33, 27
    ProductVersion : 6, 0, 1, 18
    ProductName : KODAK EasyShare Software
    FileDescription : KODAK EasyShare Software
    InternalName : EasyShare
    LegalCopyright : © Eastman Kodak Company, 2002-2006. All Rights Reserved.
    OriginalFilename : EasyShare.exe

    #:45 [exec.exe]
    FilePath : C:\Program Files\Juno\
    ProcessID : 3668
    ThreadCreationTime : 7-5-2007 10:54:17 AM
    BasePriority : Normal
    FileVersion : 4, 3, 0, 0
    ProductVersion : 4, 3, 0, 0
    CompanyName : NetZero
    FileDescription : ZCast
    InternalName : ZCOM_exec
    LegalCopyright : Copyright © 2002 United Online, Inc.

    #:46 [exec.exe]
    FilePath : C:\Program Files\Juno\
    ProcessID : 368
    ThreadCreationTime : 7-5-2007 10:54:18 AM
    BasePriority : Normal
    FileVersion : 4, 3, 0, 0
    ProductVersion : 4, 3, 0, 0
    CompanyName : NetZero
    FileDescription : ZCast
    InternalName : ZCOM_exec
    LegalCopyright : Copyright © 2002 United Online, Inc.

    #:47 [x1exec.exe]
    FilePath : C:\Program Files\Juno\qsacc\
    ProcessID : 2992
    ThreadCreationTime : 7-5-2007 10:54:22 AM
    BasePriority : Normal
    FileVersion : 3.8.00
    ProductVersion : 3.8.00
    ProductName : Juno JunoTurbo
    CompanyName : Juno Online Services, Inc.
    FileDescription : Juno JunoTurbo
    InternalName : x1exec.exe
    LegalCopyright : Copyright © 2001-2005 Juno Online Services, Inc.
    OriginalFilename : x1exec.exe

    #:48 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ProcessID : 828
    ThreadCreationTime : 7-5-2007 10:55:53 AM
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : IEXPLORE.EXE

    #:49 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 3624
    ThreadCreationTime : 7-5-2007 11:12:08 AM
    BasePriority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    #:50 [winword.exe]
    FilePath : C:\Program Files\Microsoft Office\OFFICE11\
    ProcessID : 240
    ThreadCreationTime : 7-5-2007 11:30:46 AM
    BasePriority : Normal


    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 2


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Win32.Trojandownloader.Zlob Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb}

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 3


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3



    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 34


    Scanning Hosts file......
    Hosts file location: "C:\WINDOWS\system32\drivers\etc\hosts ".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    1 entries scanned.
    New critical objects:0
    Objects found so far: 34




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 34

    8:12:48 AM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:36:05.334
    Objects scanned:170115
    Objects identified:46
    Objects ignored:14
    New critical objects:32
     


  4. 2007/07/07
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Rescan w/ HjT and put a check next to the following, then press the Fix button:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\linkprd.exe /res

    note, uninstall Instant Access via add-remove programs if listed there.

    Rescan comp w/ updated Adaware and updated Symantec. When finished, turn off System Restore:

    1. rt click My Computer icon > select Properties.
    2. click System Restore tab > put check in Turn off System Restore on all drives and follow the prompts.

    reboot

    rescan w/ Adaware & post results.
     
  5. 2007/07/07
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0

    Okay, I have followed all of the steps except removing Instant Access from Add/Remove Programs, since it was not listed. After updating Symantec it found two infections and deleted them. Here is the new Ad-Aware log. Thank you so much for taking the time to reply!
     
    Last edited: 2007/07/08
  6. 2007/07/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Deelah, please do not post Ad-Aware logs, we don't use those for any analysis.
     
  7. 2007/07/08
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    I should have said, "rescan and post another HjT log and also tell us what Adaware found."
    And also, if using other applications that quarantine files, delete the quarantined archives before scanning again.
    tt
     
  8. 2007/07/08
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0

    Hello. Ad-Aware continues to find the same trojan. I delete it every time, and when I rescan there it is again!!! Every couple of days Symantec or AVG finds other trojans or spyware that this downloader let in.

    Win32.Trojandownloader.Zlob Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb}


    Okay here is the Hjt log.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:32:46 AM, on 7/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\ISPCOMP\InstallService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Athan\Athan.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Juno\exec.exe
    C:\Program Files\Netscape Internet Service\NSClient.exe
    C:\Program Files\Common Files\ISPCOMP\SystemTrayIcon.exe
    C:\Program Files\Netscape Internet Service\_NSWatchman.exe
    C:\Program Files\Juno\exec.exe
    C:\Program Files\Juno\qsacc\x1exec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Documents and Settings\Adillah\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://admin.isp.netscape.com/sessi...romo=ADRESS-INFROM&client=3.0.0.80&partnerid=
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe "
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
    O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\Juno\qsacc\x1exec.exe "
    O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A1E71AA3-4CDE-4309-A4DB-2EC324B280CB}: NameServer = 205.188.146.145
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  9. 2007/07/08
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    1. uninstall SpywareBot and replace it with Spybot Search & Destroy.
    http://www.safer-networking.org/

    2. uninstall Viewpoint manager

    3. It is not recommended to have 2 antivirus programs running at the same time. You are using AVG and Symantec at same time.

    4. open Symantec and delete all quarantined files.

    5. open AVG Control Center and delete all quarantined files.

    6. reboot computer in Safe Mode: tap on the F8 key during boot and when you get the boot menu use the arrow key to select Safe Mode (DON'T select Safe Mode w/ Networking)

    7. rescan with HijackThis & post the log.
     
  10. 2007/07/09
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0
    Okay, I have done everything. I ran Spybot and deleted what it found out of quarantine also. However, I don't know how to turn the antivirus programs off. When I exit they just come back on later or when I reboot.
    Note: the trojan still shows up in Ad-Aware.

    HijackThis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 5:47:35 AM, on 7/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Adillah\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://admin.isp.netscape.com/sessi...romo=ADRESS-INFROM&client=3.0.0.80&partnerid=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe "
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
    O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  11. 2007/07/09
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Go to Start > Run
    type this: regedit

    Click ONE time on HKEY_CLASSES_ROOT
    Go to Edit Menu > Export
    Export the selected folder to My Documents and name it HKCR-BAK

    next:

    Go to Edit Menu > Find
    copy+paste this into the Find dialog:
    Code:
    {b8c5186e-ec37-4889-9c2e-f73649ffb7bb}
    look in left side for the opened folder icon, rt click it & delete it.
    Caution, delete ONLY the folder that comes up as a result of Find, don't delete anything else!

    I'm not convinced that you are still infected, but rather adaware cannot remove that registry key for some odd reason.

    Are you still having any comp problems?
     
  12. 2007/07/09
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0
    Hello. When I tried to delete it, a message came up and said "cannot delete {b8c5186e-ec37-4889-9c2e-f73649ffb7bb}: Error while deleting key."

    Also I have not accessed any important files on the computer because, besides that trojan downloader, when I scan with AVG or Symantec they sometimes find other trojans or spyware. Also I have found very explicit sites :eek: inside my Temporary Internet Files and cookies, like they were being surfed from the computer, and no one else has used it. Besides that, it is also slower than normal. I hope this helps :)
    Thank you so much for taking the time to help me!
     
  13. 2007/07/10
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Download this utility and save it to the Desktop. http://www.f-secure.com/tools/f-spyaxe.zip
    1. Unzip f-spyaxe.zip to the desktop.
    2. Reboot the computer into safe mode by pressing "F8" at boot up.
    See Microsoft's page for detailed instructions.
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx
    3. Double click f-spyaxe.reg and click yes to merge the information into the registry.
    4. Reboot the machine.

    next:
    Use HijackThis to remove the following:
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

    Search your computer for a file called:
    tgbrfv_.exe
    and delete it.

    Run Disk Cleanup and check all the boxes available that can be cleaned up:
    start > programs > accessories > system tools > disk cleanup

    rescan with updated antispyware & antivirus.

    post results.

    There may be other files related to this trojan, get an idea of what to search for here:
    http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanDownloader:Win32/Zlob
     
    Last edited: 2007/07/11
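The manual read of a HijackThis log that the replies above perform (the blank R0 SearchAssistant value, the O20 WgaLogon entry that points at a bare directory, the service with an unknown owner) as a small triage script. This is an added example, not code from this thread, from HijackThis or from any tool named in it; its sample lines are constructed in the shape of the posted logs, the location heuristic is the example's own, and the [constructed_example] line is invented to exercise it.

```python
# Added example: triage of HijackThis v1.99.1 log lines.  Not code from the
# thread, from HijackThis or from any tool it names; the heuristics are this
# example's own and only narrow the list for a human reviewer.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the logs posted above; the
# "constructed_example" line is invented to exercise the location check.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\Juno\qsacc\x1exec.exe"
O4 - HKCU\..\Run: [constructed_example] "C:\Documents and Settings\User\Local Settings\Temp\example.exe" /silent
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

R_RE = re.compile(r"^(R[0-3]) - (.+?) = ?(.*)$")
BHO_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^(O4) - (HK\w+\\\.\.\\Run(?:Once)?): \[(.+?)\] (.*)$")
O20_RE = re.compile(r"^(O20) - Winlogon Notify: (.+?) - (.*)$")
O23_RE = re.compile(r"^(O23) - Service: (.+?) - (.+?) - (.*)$")

# Roots an autostart is expected to live under.  A weak signal only: the
# thread's own [Instant Access] entry ran from system32, so a trusted root
# never clears an entry, it just sorts it below the odd ones.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Entry:
    kind: str            # "R0", "O2", "O3", "O4", "O20", "O23"
    name: str            # value name, BHO/toolbar name, [Run] name or service
    target: str          # URL, command line or file path
    clsid: str = ""      # O2/O3 only
    detail: str = ""     # O4: hive\..\Run or RunOnce; O23: owner
    flags: List[str] = field(default_factory=list)


def executable(cmd: str) -> str:
    """Program path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip() if end > 0 else cmd[1:].strip()
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):  # unquoted path containing spaces
        if tok.lower().endswith((".exe", ".dll", ".com")):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def flag(e: Entry) -> Entry:
    """Attach the review flags this example checks for."""
    if e.kind in ("R0", "R1") and e.target == "":
        e.flags.append("empty value")
    if e.kind == "O4":
        if e.detail.endswith("RunOnce"):
            e.flags.append("RunOnce entry")
        if not executable(e.target).lower().startswith(TRUSTED_ROOTS):
            e.flags.append("autostart outside Program Files/Windows")
    if e.kind == "O20" and not e.target.lower().endswith(".dll"):
        e.flags.append("Winlogon Notify target is not a DLL")
    if e.kind == "O23" and e.detail.lower() == "unknown owner":
        e.flags.append("service with unknown owner")
    return e


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    if m := R_RE.match(line):
        kind, key, data = m.groups()
        return flag(Entry(kind, key.rsplit(",", 1)[-1], data.strip()))
    if m := BHO_RE.match(line):
        kind, name, clsid, path = m.groups()
        return flag(Entry(kind, name, path.strip(), clsid=clsid))
    if m := O4_RE.match(line):
        kind, where, name, cmd = m.groups()
        return flag(Entry(kind, name, cmd.strip(), detail=where))
    if m := O20_RE.match(line):
        kind, name, path = m.groups()
        return flag(Entry(kind, name, path.strip()))
    if m := O23_RE.match(line):
        kind, name, owner, path = m.groups()
        return flag(Entry(kind, name, path.strip(), detail=owner))
    return None  # other sections (O8, O9, O17, ...) are left to the reader


def parse_hjt_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(text: str) -> List[Entry]:
    """Only the entries that carry at least one flag."""
    return [e for e in parse_hjt_log(text) if e.flags]


def clsid_referenced(entries: List[Entry], clsid: str) -> bool:
    """True when some O2/O3 line loads the CLSID; an orphan key like the
    thread's Zlob hit, which no BHO or toolbar references, comes back False."""
    return clsid.lower() in {e.clsid.lower() for e in entries if e.clsid}
```

Running `triage(SAMPLE_LOG)` lists five entries; `clsid_referenced` with the Zlob CLSID from the Ad-Aware report returns False for this log, which is consistent with the reply above suspecting an orphan registry key rather than a live infection.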
  14. 2007/07/11
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0
    Okay, I merged f-spyaxe into the registry, removed the two things from HijackThis, searched for the file tgbrfv_.exe but it was not on the computer, ran Disk Cleanup, and ran scans.

    Ad-Aware still found the same trojan but the antispyware came up clean.
     
  15. 2007/07/11
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0
    Oh, and after I looked on the site I searched for the file cmd.exe and found it. I don't know if this helps.
     
  16. 2007/07/11
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    cmd.exe is a valid file but could have been replaced by the trojan. Check the file properties & inspect the dates.

    download this free utility called Autoruns.
    http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
    Run it and go to Options menu and select "hide signed microsoft entries"
    Press the refresh button.
    Go to File menu > Save As > autoruns.txt
    copy+paste the text in between code tags.
    code tags are like this (with no Xs): [Xcode] text here [X/code]
     
    Last edited: 2007/07/11
  17. 2007/07/11
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0

    Okay. The file cmd.exe hasn't been modified since it was created, August 03, 2004

    Code:
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			
    + Adobe Photo Downloader	Adobe Photoshop Album Starter Edition 3.0 component	Adobe Systems Incorporated	c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe
    + Athan	 Automatic Athan (Azan)  five times a day for every prayer time. It covers more than 5 million cities, towns, and villages all over the world. 	www.IslamicFinder.org	c:\program files\athan\athan.exe
    + ATIPTA	ATI Desktop Control Panel	ATI Technologies, Inc.	c:\program files\ati technologies\ati control panel\atiptaxx.exe
    + AVG7_CC	AVG Control Center	GRISOFT, s.r.o.	c:\program files\grisoft\avg free\avgcc.exe
    + ccApp	Symantec User Session	Symantec Corporation	c:\program files\common files\symantec shared\ccapp.exe
    + FaxCenterServer4_in_1			c:\program files\lexmark 4200 series\fax\fm3032.exe
    + Lexmark 4200 Series	Lexmark 4200 Series Button Manager	Lexmark International, Inc.	c:\program files\lexmark 4200 series\lxbmbmgr.exe
    + Netscape		Netscape Communications Corporation	c:\program files\common files\ispcomp\installservice.exe
    + QuickTime Task		Apple Computer, Inc.	c:\program files\quicktime\qttask.exe
    + SunJavaUpdateSched	Java(TM) 2 Platform Standard Edition binary	Sun Microsystems, Inc.	c:\program files\java\jre1.5.0_06\bin\jusched.exe
    + vptray	Symantec AntiVirus	Symantec Corporation	c:\program files\symantec antivirus\vptray.exe
    + ZoneAlarm Client	ZoneAlarm Client	Zone Labs, LLC	c:\program files\zone labs\zonealarm\zlclient.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup			
    + CallWave.lnk	Internet Answering Machine	CallWave, Inc.	c:\program files\callwave\iam.exe
    + Kodak EasyShare software.lnk	KODAK EasyShare Software		c:\program files\kodak\kodak easyshare software\bin\easyshare.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run			
    + Aim6	AIM	AOL LLC	c:\program files\aim6\aim6.exe
    + Juno_uoltray	ZCast	NetZero	c:\program files\juno\exec.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved			
    + AVG7 Find Extension	AVG Shell Extension	GRISOFT, s.r.o.	c:\program files\grisoft\avg free\avgse.dll
    + AVG7 Shell Extension	AVG Shell Extension	GRISOFT, s.r.o.	c:\program files\grisoft\avg free\avgse.dll
    + Display Panning CPL Extension			File not found: deskpan.dll
    + HyperTerminal Icon Ext	HyperTerminal Applet Library	Hilgraeve, Inc.	c:\windows\system32\hticons.dll
    + LDVP Shell Extensions	Symantec AntiVirus	Symantec Corporation	c:\program files\common files\symantec shared\ssc\vpshell2.dll
    + Multiscan	zlavscan shell extension	Zone Labs, LLC	c:\program files\zone labs\zonealarm\zlavscan.dll
    HKLM\Software\Classes\Folder\Shellex\ColumnHandlers			
    + PDF Shell Extension	PDF Shell Extension	Adobe Systems, Inc.	c:\program files\common files\adobe\acrobat\activex\pdfshell.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects			
    + Adobe PDF Reader Link Helper	Adobe PDF Helper for Internet Explorer	Adobe Systems Incorporated	c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll
    + PBlockHelper Class			c:\program files\netscape internet service\netscape web accelerator\pbhelper.dll
    + Popup-Blocker Class	Juno JunoTurbo	Juno Online Services, Inc.	c:\program files\juno\qsacc\x1iebho.dll
    + SSVHelper Class	Java(TM) 2 Platform Standard Edition binary	Sun Microsystems, Inc.	c:\program files\java\jre1.5.0_06\bin\ssv.dll
    + {53707962-6F74-2D53-2644-206D7942484F}	Bad download blocker	Safer Networking Limited	c:\program files\spybot - search & destroy\sdhelper.dll
    HKLM\Software\Microsoft\Internet Explorer\Toolbar			
    + toolbar.dll	Toolbar Module		c:\program files\juno\toolbar.dll
    HKLM\Software\Microsoft\Internet Explorer\Extensions			
    + Yahoo! Messenger	Yahoo! Messenger	Yahoo! Inc.	c:\program files\yahoo!\messenger\yahoomessenger.exe
    HKLM\System\CurrentControlSet\Services			
    + Ati HotKey Poller	ATI External Event Utility EXE Module	ATI Technologies Inc.	c:\windows\system32\ati2evxx.exe
    + ATI Smart	ATI Smart		c:\windows\system32\ati2sgag.exe
    + Avg7Alrt	AVG Alert Manager	GRISOFT, s.r.o.	c:\program files\grisoft\avg free\avgamsvr.exe
    + Avg7UpdSvc	AVG Update Service	GRISOFT, s.r.o.	c:\program files\grisoft\avg free\avgupsvc.exe
    + AVGEMS	AVG E-Mail Scanner	GRISOFT, s.r.o.	c:\program files\grisoft\avg free\avgemc.exe
    + ccEvtMgr	Event propagation and logging service	Symantec Corporation	c:\program files\common files\symantec shared\ccevtmgr.exe
    + ccSetMgr	Settings storage and management service	Symantec Corporation	c:\program files\common files\symantec shared\ccsetmgr.exe
    + DefWatch	Monitors and maintains virus definitions.	Symantec Corporation	c:\program files\symantec antivirus\defwatch.exe
    + LexBceS	LexBce Service	Lexmark International, Inc.	c:\windows\system32\lexbces.exe
    + Symantec AntiVirus	Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus.	Symantec Corporation	c:\program files\symantec antivirus\rtvscan.exe
    + vsmon	Monitors internet traffic and generates alerts for disallowed access.	Zone Labs, LLC	c:\windows\system32\zonelabs\vsmon.exe
    + WebFilter	Provides Internet filtering services for your PC.		c:\program files\blue coat k9 web protection\k9filter.exe
    HKLM\System\CurrentControlSet\Services			
    + ati2mtag	ATI Radeon WindowsNT Miniport Driver	ATI Technologies Inc.	c:\windows\system32\drivers\ati2mtag.sys
    + atirage3	ATIRAGE3 Miniport Driver	ATI Technologies Inc.	c:\windows\system32\drivers\atimpae.sys
    + Avg7Core	AVG Scanning Engine	GRISOFT, s.r.o.	c:\windows\system32\drivers\avg7core.sys
    + Avg7RsW	AVG Resident Shield Unload Helper	GRISOFT, s.r.o.	c:\windows\system32\drivers\avg7rsw.sys
    + Avg7RsXP	AVG Resident Anti-Virus Shield	GRISOFT, s.r.o.	c:\windows\system32\drivers\avg7rsxp.sys
    + AvgClean	AVG7 Clean Driver	GRISOFT, s.r.o.	c:\windows\system32\drivers\avgclean.sys
    + AvgTdi	AVG Network connection watcher	GRISOFT, s.r.o.	c:\windows\system32\drivers\avgtdi.sys
    + crtaud	Conexant Audio Driver	Conexant Systems Inc.	c:\windows\system32\drivers\crtaud.sys
    + cwmtdi			c:\windows\system32\drivers\cwmtdi.sys
    + eeCtrl	Symantec Eraser Control Driver	Symantec Corporation	c:\program files\common files\symantec shared\eengine\eectrl.sys
    + EraserUtilRebootDrv	Symantec Eraser Utility Driver	Symantec Corporation	c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys
    + es1371	ENSONIQ AudioPCI 97 WDM Audio Miniport	Creative Technology Ltd.	c:\windows\system32\drivers\es1371mp.sys
    + GMSIPCI			File not found: E:\INSTALL\GMSIPCI.SYS
    + HSF_DP	HSF_DP driver	Conexant Systems, Inc.	c:\windows\system32\drivers\hsfdpsp2.sys
    + HSFHWBS2	HSF_HWB2 WDM driver	Conexant Systems, Inc.	c:\windows\system32\drivers\hsfbs2s2.sys
    + mdmxsdk	Diagnostic Interface DRIVER	Conexant	c:\windows\system32\drivers\mdmxsdk.sys
    + MSICPL			File not found: E:\install4\MSICPL.sys
    + NAVENG	AV Engine	Symantec Corporation	c:\program files\common files\symantec shared\virusdefs\20070707.016\naveng.sys
    + NAVEX15	AV Engine	Symantec Corporation	c:\program files\common files\symantec shared\virusdefs\20070707.016\navex15.sys
    + NTACCESS			File not found: E:\NTACCESS.sys
    + Ptilink	Direct Parallel Link Driver	Parallel Technologies, Inc.	c:\windows\system32\drivers\ptilink.sys
    + PxHelp20	Px Engine Device Driver for Windows 2000/XP	Sonic Solutions	c:\windows\system32\drivers\pxhelp20.sys
    + rpfun	Dummy driver	Conexant Systems Inc.	c:\windows\system32\drivers\rpfun.sys
    + rthwcls	Conexant AmcHal Driver for Riptide	Conexant Systems Inc.	c:\windows\system32\drivers\rthwcls.sys
    + SAVRT	AutoProtect	Symantec Corporation	c:\program files\symantec antivirus\savrt.sys
    + SAVRTPEL	SAVRTPEL	Symantec Corporation	c:\program files\symantec antivirus\savrtpel.sys
    + Secdrv	SafeDisc driver		c:\windows\system32\drivers\secdrv.sys
    + SetupNTGLM7X			File not found: E:\NTGLM7X.sys
    + SPBBCDrv	SPBBC Driver	Symantec Corporation	c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys
    + srescan	srescan	Zone Labs, LLC	c:\windows\system32\zonelabs\srescan.sys
    + SymEvent	Symantec Event Library	Symantec Corporation	c:\program files\symantec\symevent.sys
    + SYMREDRV	Redirector Filter Driver	Symantec Corporation	c:\windows\system32\drivers\symredrv.sys
    + SYMTDI	Network Dispatch Driver	Symantec Corporation	c:\windows\system32\drivers\symtdi.sys
    + vsdatant	TrueVector Device Driver	Zone Labs, LLC	c:\windows\system32\vsdatant.sys
    + winachsf	HSF_CNXT driver	Conexant Systems, Inc.	c:\windows\system32\drivers\hsfcxts2.sys
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify			
    + AtiExtEvent	ATI External Event Utility DLL Module	ATI Technologies Inc.	c:\windows\system32\ati2evxx.dll
    + NavLogon	Symantec AntiVirus Logon Notification	Symantec Corporation	c:\windows\system32\navlogon.dll
    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors			
    + Fax Lexmark 4200 Series Port			c:\windows\system32\lxbrpmon.dll
    + Lexmark Network Port	LEXLMPM DLL	Lexmark International, Inc.	c:\windows\system32\lexlmpm.dll 
     
    Last edited: 2007/07/11
  18. 2007/07/13
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Go to Start > Run
    Type this: regedit

    Go to Edit menu > Find
    Copy+paste this into the Find dialog:
    Code:
    {b8c5186e-ec37-4889-9c2e-f73649ffb7bb}
    Click ONE time on the opened folder.
    Go to File menu > Export
    Save as "locked-key.reg".

    Note: the "opened" folder may be a child folder, so also export the "parent" folder as well and save it as parent.reg.

    Copy+paste the contents of each inside code tags here. I want to inspect these keys and can possibly create a reg file that can be merged to remove the key.

    Also, while there in the registry, right-click the "undeletable" key and select Permissions and see if you have Full Control of the key. If not, try to change the permissions so you can delete it.

    Also, you should be a member of the Administrators group when doing actions like this. If not, log on as Administrator and try to delete the key in question.
     
    Last edited: 2007/07/13
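The permissions check TonyT describes (and that turned out to be the cause here) can be scripted. This is an added example, not code from the thread: it searches a few registry roots for a key whose name is the GUID quoted above, and reports the key's owner, whether the current account is running as an administrator, whether that account (directly or via a group) holds Full Control, and how many Deny entries are present. The root paths searched are an assumption; the GUID is the one from the post.

```powershell
function Test-RegistryKeyControl {
    param(
        [Parameter(Mandatory)][string]$KeyName,
        # Assumed starting points; widen if the key lives elsewhere
        [string[]]$Roots = @('HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes',
                             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion')
    )
    $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$me
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    # SIDs for the user and every group in the token, so group-based ACEs count too
    $mySids    = @($me.User) + @($me.Groups)
    $fullCtrl  = [System.Security.AccessControl.RegistryRights]::FullControl

    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -ieq $KeyName } |
            ForEach-Object {
                $acl  = Get-Acl -Path $_.PSPath
                $mine = $acl.Access | Where-Object {
                    try   { $mySids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
                    catch { $false }   # unresolvable account: not us
                }
                # Full Control only counts if granted by an Allow ACE; a Deny ACE always overrides Allow
                $allowFull = $mine | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $fullCtrl) -eq $fullCtrl)
                }
                $denied = $mine | Where-Object { $_.AccessControlType -eq 'Deny' }
                [pscustomobject]@{
                    Key                       = $_.Name
                    Owner                     = $acl.Owner
                    RunningAsAdmin            = $isAdmin
                    CurrentUserHasFullControl = ([bool]$allowFull -and -not [bool]$denied)
                    DenyEntriesForCurrentUser = @($denied).Count
                }
            }
    }
}

Test-RegistryKeyControl -KeyName '{b8c5186e-ec37-4889-9c2e-f73649ffb7bb}' | Format-List
```

If RunningAsAdmin is false even though you are logged on to an administrator account, the shell is not elevated (or the account is not in the Administrators group), which matches the situation the thread starter ran into.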
  19. 2007/07/13
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0
    Hello!!! THANK YOU SO MUCH!!! The problem was I didn't have permission as an administrator to change the key, even though I was on the administration login. So I deleted it and ran the Ad-Aware scan and zip, nothing came up. It seems to be gone. I thought I was going to have to reinstall Windows over and I'm so glad I found you guys first. I'm going to keep scanning over the next couple of days to make sure. THANK YOU AGAIN! :D

    YOU ROCK!!!!!!!!
     
  20. 2007/07/13
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Great news & very well done!
    Post back in this same thread in a couple days to let us know how things are going as a result.
    tt
     
  21. 2007/07/15
    Deelah

    Deelah Inactive Thread Starter

    Joined:
    2007/07/05
    Messages:
    11
    Likes Received:
    0
    Hello... just following up. Everything seems fine. Comp working well and no sign of the virus. I have been running the scans to make sure and it seems to be gone for good. Thank you so much again!
     
